Bolstering the Privacy Bulwarks

The Inaugural Newfoundland and Labrador Access and Privacy Conference

May 31, 2007
St. John's, Newfoundland

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)


I am very pleased to be here today for what I hope will be the first of many access and privacy conferences in Newfoundland and Labrador.

Access to information and privacy are not static subjects.  And they are often seen, erroneously to my mind, as antagonistic values. On the contrary, both are essential components of information rights, and my fellow commissioner, Information Commissioner Robert Marleau, and I plan to work together on the renewal of these rights in the federal sector.

New developments continually swirl around these subjects: new technologies, new uses for older technologies, new political pressures and new global realities. Ours is an increasingly complex world, and the various players involved in access to information and privacy policy and practice need a forum such as this.

As part of trying to better understand that complex world, my Office established a Contributions Program in 2004 to support research into, as well as the promotion of, the protection of personal information.  Many of you will be aware of our $45,000 contribution under this program to Memorial University to deal with privacy in the health care sector. This funding will help the Memorial team examine the influence of technology choices on policy development, as well as the influence of policy choices on technology development.

My Office is also developing a plan to enhance our presence in Atlantic Canada.  The idea is that this regional presence will work closely with the privacy protection ombudsmen in Atlantic Canada and take on more locally targeted public education and outreach efforts, particularly with small businesses.

This pilot project will be led by our new director of research analysis and stakeholder relations, Liz Denham, who many of you know from her work in the Alberta Commissioner’s office.

I would like to speak today about two issues.  One is the impact of the Federal Accountability Act on the operations of my Office.  Because of this legislation, my Office is for the first time subject to the Access to Information Act and the Privacy Act.   The organizers of this event have also asked me to speak about another important phenomenon that is threatening privacy in many ways – “pretexting.” I am supposed to know a lot about this.

Today, pretexting has taken on a whole new, and more sinister, dimension, thanks in large part to the Internet and the often poorly protected databases containing the personal information of millions of individuals.  A pretexter, armed with some information about a person, is able to obtain additional information about the person from an organization. This is typically accomplished by pretending to be the person whose information is being sought, by pretending to be a relative or agent of the person, or by pretending to be an employee or someone authorized to obtain the information.

Pretexting may be used simply to get personal information about individuals, with no goal of monetary gain.  Other times, the goal is clearly financial gain. 

But let me be a little bit less clinical about pretexting for a minute.  I say this because an article I read in the New York Times a few weeks ago reminded me that pretexting is not just about statistics.  It is about real people, often vulnerable people.  And the failure of the private sector to respect the fair information principles at the root of all privacy laws can sometimes increase the vulnerability of these people.

The New York Times story centered on an elderly American war veteran who had recently lost his spouse.  Understandably, he was lonely, and he became easy prey for telemarketers who wanted to pry information from him and get him to enroll in schemes such as contests that would provide even more information about him.  He also became easy prey for pretexters who wanted information that would help them defraud him.

How did the fraudsters find out about this elderly veteran in the first place?  The newspaper reports that his name was among the millions that one American list broker sold to companies that were under investigation for fraud.  According to the story, the pretexters operated from around the world, including Canada.  Working from these lists of names and phone numbers provided by the list broker, they called World War II veterans, retired schoolteachers and thousands of other elderly Americans and posed as government and insurance workers updating their files. Armed with the sensitive personal information these vulnerable people provided, the pretexters then attempted to empty their victims’ bank accounts.  The retired veteran who was the subject of the New York Times story reportedly lost over $100,000 this way.

We cannot prevent criminals from preying on the elderly, the lonely and the naïve.  But this case appears at first blush to be a case of a list broker playing a key role – perhaps innocently or, more likely, negligently – to facilitate a massive pretexting operation. The next time a list broker argues that they just provide information to others, you might want to remind them of how that information can play into a web of deceit. 

This story also illustrates what we are too often tempted to forget – that failing to protect privacy has real consequences.  Complying with privacy rules is not just about securing compliance with some burdensome regulation.  It is about ensuring that individuals have a choice about with whom they want to share the sometimes intimate details of their lives.  The consequence of failing to respect this principle can be profoundly harmful. 

Pretexting is also an issue for government, something that the many of you working in government must remember. 

Pretexting is one of several techniques that criminals use to obtain the information they need to commit identity theft.  Like pretexting, identity theft involves pretending to be someone else.  It is perhaps the ultimate invasion of someone’s privacy, as the identity thief conducts financial transactions and claims government benefits in the name of the victim.  We don’t have reliable statistics on identity theft in Canada.

PhoneBusters, a Canadian anti-fraud call centre operated jointly by the Ontario Provincial Police (OPP), the Royal Canadian Mounted Police (RCMP) and other agencies, provides statistics on identity theft dating back to 2002.  These statistics provide a useful indicator of trends.

PhoneBusters received calls from some 7,800 identity theft victims reporting losses to themselves and to businesses totalling more than $16 million in 2006. However, PhoneBusters acknowledges those statistics do not capture the whole picture. It estimates the numbers represent only a small percentage – perhaps five per cent – of the actual figures for identity theft.

Identity theft can leave individuals traumatized.  Those who have their identity stolen suffer serious disabilities in the conduct of their day-to-day lives.  The identity thief may have committed criminal acts using the identity of the true owner of that identity.  How does the innocent person persuade police and other government agencies that he or she is not in fact the person who committed the offence?  This can be a near-impossible task. 

Confronting pretexting is therefore one way for organizations and government bodies to reduce the risk of identity theft involving their clients.  Organizations can defeat pretexting by using appropriate procedures to ensure that individuals requesting information are who they claim to be.  If we want to use the expensive word for this, it is called “authentication.”  Authentication processes can contribute to the protection of privacy by reducing the risk of unauthorized disclosures.

Fighting pretexting is not only good business sense.  It is also a legal obligation.  As with many privacy laws, Canada’s federal private sector data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA), generally allows organizations to disclose personal information only with the consent of the individual to whom the information relates. If an organization negligently gives information to someone posing as the individual to whom the information relates, that is a violation of PIPEDA.  In addition, PIPEDA requires organizations to protect personal information with security safeguards appropriate to the sensitivity of the information. In order to comply with these requirements, organizations may need to take measures against pretexting to protect that information. 

The federal Privacy Act also limits the disclosure of personal information.  In general, those institutions can disclose personal information only if the person to whom it relates has consented to the disclosure.  Individuals are allowed access only to their own personal information, and institutions may not generally disclose that information to anyone else.  Government institutions therefore need to take measures to ensure that they are not disclosing information or giving access to information on the basis of someone pretending to be the person to whom the information relates.

Pretexting as such is not an offence in Canada.  It only becomes an offence if it can be established that the person used pretexting for fraudulent purposes.  One Member of Parliament, Mr. James Rajotte, attempted to fill this gap with a private member’s bill, C-299, An Act to Amend the Criminal Code, the Canada Evidence Act and the Competition Act (personal information obtained by fraud).  I have voiced my support for his efforts on several occasions during the past year.  As originally drafted, it addressed obtaining personal information from a third party by means of a false pretence or fraud. 

Changes were proposed to the bill in Committee to address a number of concerns, including the view that criminalizing pretexting may not be appropriate. I was pleased that Mr. Rajotte’s bill has raised some fundamental questions about the most appropriate way to further this objective. The Standing Committee on Finance did however recommend in February that “the Minister of Justice take actions necessary to include the offence commonly known as ‘identity theft’ in the Criminal Code.”

I have attempted to address pretexting through a combination of public education and guidelines.  Last October, my Office released guidelines that provide advice on authentication procedures – that is, procedures to help prove that the person is who he or she says they are.  The guidelines are intended to help organizations devise methods of authenticating customers in ways that respect the fair information practices in PIPEDA and that ensure compliance with its security provisions by providing the strongest protection for customers’ personal information.  Following these guidelines will reduce the risk of falling victim to pretexting. 

The complete guidelines are set out on our website.  Let me give you just a taste of what they say.  First, they recommend that an organization subject to PIPEDA should require individuals to give evidence to prove their identity – in other words, to “authenticate” themselves only when the nature of the transaction makes it necessary. In simple terms, a corner store owner doesn’t need proof of identity of the person buying a chocolate bar.  In fact, knowing the person’s identity is completely unnecessary. Pretexting is not an issue here.

The Guidelines recommend that organizations should only authenticate to the extent necessary.  In other words, you don’t need to ask someone who is applying for a student bus pass to give intimate details of their lives – where they were born, or their Social Insurance Number.  In most cases, presentation of what appears to be a valid student card would suffice.  That is clearly not bulletproof evidence that the person is a student, but it is likely sufficient for the purpose at hand.

The level of authentication required – the amount of proof you need to give of your identity, in other words – should be commensurate with the risk involved.  In general, the higher the risk involved if you incorrectly identify someone, the greater the evidence of identity that should be required.  For example, access to various financial services would normally require a greater degree of authentication than would applying for a student bus pass.  The greater degree of certainty about identity required in relation to financial services simply reflects the more sensitive nature of such transactions and the scope for economic loss to the individual if an imposter intervenes.

The guidelines also recommend that organizations regularly measure attempted attacks, breakdowns, and losses as part of a structured threat- and risk-assessment program, and evaluate customer awareness of and confidence in the authentication processes in place.  Organizations should also ensure that all customer service representatives and other employees who have access to personal information receive appropriate training on the importance of protecting customers’ personal information, including the importance of protecting it from unauthorized access and disclosure.

As part of the ongoing training for customer service representatives, organizations should provide training on authentication policies and processes including examples of potential threats to privacy, such as “pretexting.” The training should be updated to reflect policy and process changes and new threats.
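As an added illustration (not part of the speech or of the Office's guidelines), the following Python sketches a risk-tiered authentication policy of the kind the guidelines describe, with an attempt log so failed attempts can be measured as part of a threat- and risk-assessment program. The tiers, evidence types, assurance strengths, sensitivity ratings and thresholds are constructed assumptions.

```python
from collections import Counter
from enum import IntEnum


class Risk(IntEnum):
    NONE = 0   # buying a chocolate bar: identity is irrelevant
    LOW = 1    # applying for a student bus pass
    HIGH = 2   # access to financial services


# Each evidence type maps to (assurance it gives, sensitivity of asking for it).
# Facts a pretexter may already hold (account number, date of birth) give
# little assurance; secrets and out-of-band checks give more. Constructed values.
EVIDENCE = {
    "account_number": (1, 1),
    "student_card": (2, 1),
    "date_of_birth": (1, 2),
    "sin": (1, 3),
    "shared_secret": (3, 2),
    "callback_to_number_on_file": (3, 1),
}

# Per tier: (assurance required, most sensitive evidence an agent may ask for).
# NONE needs no authentication at all; LOW may not ask for SIN or birth date.
POLICY = {
    Risk.NONE: (0, 0),
    Risk.LOW: (2, 1),
    Risk.HIGH: (4, 3),
}

ATTEMPTS = Counter()  # (tier name, outcome) -> count, for the threat and risk review


def authenticate(tier, presented):
    """Return 'not_required', 'over_collection', 'pass' or 'fail'."""
    required, max_sensitivity = POLICY[tier]
    if required == 0:
        return "not_required"
    # Demanding evidence more sensitive than the tier allows breaches the
    # "only to the extent necessary" rule, whatever the caller can supply.
    if any(EVIDENCE[e][1] > max_sensitivity for e in presented):
        outcome = "over_collection"
    elif sum(EVIDENCE[e][0] for e in presented) >= required:
        outcome = "pass"
    else:
        outcome = "fail"
    ATTEMPTS[(tier.name, outcome)] += 1
    return outcome


def failure_rate(tier):
    """Share of logged attempts at a tier that failed; a rising rate is one
    indicator of pretexting activity worth investigating."""
    total = sum(n for (t, _), n in ATTEMPTS.items() if t == tier.name)
    failed = ATTEMPTS[(tier.name, "fail")]
    return failed / total if total else 0.0
```

In a real deployment the attempt log would be keyed by channel and time window as well, since a burst of failures from one call centre queue is the signal a pretexting review would look for.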

Beyond Pretexting

Addressing pretexting is one of a package of measures that, if wisely applied, can protect privacy and prevent the damage that can occur through identity theft.  Besides educating employees about pretexting, we need to help members of the public understand how their identity can be at risk from identity thieves.  For example, we want to avoid members of the public falling prey to the phenomenon known as “phishing” – that’s “phishing” with a “ph,” not an “f.” 

“Phishing” can occur when someone fraudulently sends an individual an email appearing to originate, for example, from the individual’s bank.  The email asks the individual to visit a web site disguised to look like that of the legitimate bank and provide their account number and password.  Armed with this information, the identity thief is home free to conduct banking transactions in the name of the victim.  We need to educate the public about the phishing phenomenon and about the need to be appropriately cautious when someone asks for sensitive personal information.

Canadians also need to understand that phishing can also involve sending emails purporting to originate from government departments.  In recent months, the Canada Revenue Agency has seen “phishers” posing online as representatives of the CRA attempt to obtain sensitive personal information from Canadians.  This is a problem that all levels of government will face – how to facilitate legitimate e-government transactions with citizens while ensuring that those same citizens do not fall prey to fraudulent email purporting to come from government. 

Impact of the Federal Accountability Act

I would like to turn to one other major development – the new transparency rules affecting my Office.  Until the Federal Accountability Act provisions relating to my Office came into force on April 1 – I hope there is no hidden significance to that date – my Office was not subject to the Access to Information Act or the Privacy Act.  The Federal Accountability Act has increased the transparency and accountability of government by making agents and officers of Parliament, including the Office of the Privacy Commissioner, subject to the Access to Information Act and the Privacy Act.  This bill brings the first wave of important new amendments to the Access to Information Act and the Privacy Act since they became law in 1983. 

Access to Information

Even before the Federal Accountability Act was passed in December of 2006, and even before we became formally subject to the Access to Information Act last month, my Office has been responding to access to information requests in the spirit of the access legislation.  In fact, we have processed at least ten access to information requests in that fashion.  This initiative was started by interim Privacy Commissioner Robert Marleau in 2003.

The transition to processing requests under the Access to Information Act is proceeding smoothly.

Since we became formally subject to the access legislation at the start of April, we have received four access requests – three in April and one in May.  We have not been overwhelmed by requests, but there may be circumstances in future that give rise to larger numbers of access requests.

My Office has tried to run an exceedingly tight ship, particularly given the apparent excesses within the Office of the past.  It is telling that it was Robert Marleau who was appointed as Interim Commissioner to begin the hard work of straightening things out prior to my appointment.  Mr. Marleau, as you know, was recently appointed Information Commissioner of Canada. 

We are not perfect; we are a human institution.  However, we have been true to our mandate in a complex environment – and we respect the rights of Canadians to know not only what we are doing, but how we are doing it. That is both the price of transparency and the beauty of transparency.  In the short term, that transparency can be challenging to manage, but in the long term it can make for better government.

Extension of the Privacy Act

As of April 1, 2007, my Office became subject to the Privacy Act as well.  Before that, it was a bit of an oddity that my Office, which oversaw the application of the Privacy Act, was nonetheless not subject to its provisions on the collection, use and disclosure of personal information.  Nor could an individual apply under the Privacy Act for access to the personal information we held about them.

Conclusion

We live in an unavoidably complex world of changing risks and evolving threats to our privacy.  We need to make use of all the tools at our disposal to protect our privacy – data protection legislation that is up to date, criminal law, technology, public education, and audits of private sector and government institution information handling practices. 

As I said at the outset, I hope this is the first of many access and privacy conferences in Newfoundland and Labrador.  In some ways, despite the depth and richness of your history, you are the new kids on the block in privacy matters.  You have the advantage of being able to watch the mistakes that we have all made elsewhere in Canada, so that when the privacy provisions of the Access to Information and Protection of Privacy Act come into force, you can get it right.  I wish you all the best in your quest to do just that.

In closing, I would like to invite all of you to another conference – one that my Office is hosting this fall in Montreal. The 29th International Conference of Data Protection and Privacy Commissioners will feature workshops and interactive roundtables dealing with difficult issues such as data mining, authentication and identity management in our interconnected world. The emphasis is on offering practical advice.

The event will provide an opportunity for some of the world’s top privacy experts to map out plans for addressing some of the most troubling emerging issues in our field. I hope we’ll have a strong contingent of Atlantic Canadians to help us in this crucial work.